authorAttila Molnar <attilamolnar@hush.com>2016-08-08 16:42:54 +0200
committerAttila Molnar <attilamolnar@hush.com>2016-08-08 16:42:54 +0200
commita86e320ac19fbbd6034d0447f048beb8b4a0ad1d (patch)
tree717c8ed61ec462196d206471899fc47e25c05c59
parent40e42a47a7b1f12bb0a9e20c3fa1d9bdccd85c04 (diff)
m_ssl_* Add option to sslprofile controlling whether to request client certificates
-rw-r--r--src/modules/extra/m_ssl_gnutls.cpp17
-rw-r--r--src/modules/extra/m_ssl_mbedtls.cpp20
-rw-r--r--src/modules/extra/m_ssl_openssl.cpp11
3 files changed, 39 insertions, 9 deletions
diff --git a/src/modules/extra/m_ssl_gnutls.cpp b/src/modules/extra/m_ssl_gnutls.cpp
index dfd3b47dd..bda4e6a48 100644
--- a/src/modules/extra/m_ssl_gnutls.cpp
+++ b/src/modules/extra/m_ssl_gnutls.cpp
@@ -583,16 +583,21 @@ namespace GnuTLS
*/
const unsigned int outrecsize;
+ /** True to request a client certificate as a server
+ */
+ const bool requestclientcert;
+
Profile(const std::string& profilename, const std::string& certstr, const std::string& keystr,
std::auto_ptr<DHParams>& DH, unsigned int mindh, const std::string& hashstr,
const std::string& priostr, std::auto_ptr<X509CertList>& CA, std::auto_ptr<X509CRL>& CRL,
- unsigned int recsize)
+ unsigned int recsize, bool Requestclientcert)
: name(profilename)
, x509cred(certstr, keystr)
, min_dh_bits(mindh)
, hash(hashstr)
, priority(priostr)
, outrecsize(recsize)
+ , requestclientcert(Requestclientcert)
{
x509cred.SetDH(DH);
x509cred.SetCA(CA, CRL);
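Review bot: The new constructor parameter `Requestclientcert` (in `unsigned int recsize, bool Requestclientcert)`) is the only capitalised parameter in this signature; the others avoid shadowing their member by using a different short name (`recsize` for `outrecsize`, `mindh` for `min_dh_bits`). Following that convention, `unsigned int recsize, bool reqclientcert)` with `, requestclientcert(reqclientcert)` in the initialiser list keeps the naming uniform. The member's doc comment could also state the default the config loader applies, since a reader of this struct cannot see it: `/** True to request a client certificate as a server (sslprofile requestclientcert, defaults to true) */`. The constructor body continues past the end of this hunk.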
@@ -663,7 +668,10 @@ namespace GnuTLS
#else
unsigned int outrecsize = tag->getInt("outrecsize", 2048, 512, 16384);
#endif
- return new Profile(profilename, certstr, keystr, dh, mindh, hashstr, priostr, ca, crl, outrecsize);
+
+ const bool requestclientcert = tag->getBool("requestclientcert", true);
+
+ return new Profile(profilename, certstr, keystr, dh, mindh, hashstr, priostr, ca, crl, outrecsize, requestclientcert);
}
/** Set up the given session with the settings in this profile
@@ -674,8 +682,9 @@ namespace GnuTLS
x509cred.SetupSession(sess);
gnutls_dh_set_prime_bits(sess, min_dh_bits);
- // Request client certificate if we are a server, no-op if we're a client
- gnutls_certificate_server_set_request(sess, GNUTLS_CERT_REQUEST);
+ // Request client certificate if enabled and we are a server, no-op if we're a client
+ if (requestclientcert)
+ gnutls_certificate_server_set_request(sess, GNUTLS_CERT_REQUEST);
}
const std::string& GetName() const { return name; }
diff --git a/src/modules/extra/m_ssl_mbedtls.cpp b/src/modules/extra/m_ssl_mbedtls.cpp
index 845d02aa3..a465d06ee 100644
--- a/src/modules/extra/m_ssl_mbedtls.cpp
+++ b/src/modules/extra/m_ssl_mbedtls.cpp
@@ -257,7 +257,6 @@ namespace mbedTLS
mbedtls_debug_set_threshold(INT_MAX);
mbedtls_ssl_conf_dbg(&conf, DebugLogFunc, NULL);
#endif
- mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
// TODO: check ret of mbedtls_ssl_config_defaults
mbedtls_ssl_config_defaults(&conf, endpoint, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT);
@@ -308,6 +307,11 @@ namespace mbedTLS
mbedtls_ssl_conf_ca_chain(&conf, certs.get(), crl.get());
}
+ void SetOptionalVerifyCert()
+ {
+ mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
+ }
+
const mbedtls_ssl_config* GetConf() const { return &conf; }
};
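Review bot: `SetOptionalVerifyCert()` is added without a doc comment, while its effect is the part of this change a reader most needs explained: `MBEDTLS_SSL_VERIFY_OPTIONAL` asks for and checks the peer certificate but lets the handshake complete even when verification fails. Suggested comment above the method: `/** Verify the peer certificate if one is presented, without aborting the handshake on failure; on a server this also causes a client certificate to be requested */`. The enclosing class starts outside this hunk.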
@@ -376,7 +380,8 @@ namespace mbedTLS
const std::string& castr, const std::string& crlstr,
unsigned int recsize,
CTRDRBG& ctrdrbg,
- int minver, int maxver
+ int minver, int maxver,
+ bool requestclientcert
)
: name(profilename)
, x509cred(certstr, keystr)
@@ -414,7 +419,13 @@ namespace mbedTLS
serverctx.SetDHParams(dhparams);
}
- serverctx.SetCA(cacerts, crl);
+ clientctx.SetOptionalVerifyCert();
+ // The default for servers is to not request a client certificate from the peer
+ if (requestclientcert)
+ {
+ serverctx.SetOptionalVerifyCert();
+ serverctx.SetCA(cacerts, crl);
+ }
}
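Review bot: `clientctx.SetOptionalVerifyCert();` is the one new line here without a comment, and it is a client-side change in a commit described as a server option: the client's authmode is now set after `mbedtls_ssl_config_defaults` (the call removed in the first hunk of this file ran before it), so if `config_defaults` installs its own client authmode this line changes what the client enforces rather than merely relocating the old call — worth confirming against the mbedTLS version in use. A comment such as `// Clients verify the server certificate if one is sent but never abort the handshake on failure` would record the intent. Note also that `SetCA(cacerts, crl)` is now only called on the server context when client certificates are requested, so a server with the option disabled silently ignores a configured CA/CRL; that is probably intended but deserves a word in the comment above the branch. The constructor begins outside this hunk.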
static std::string ReadFile(const std::string& filename)
@@ -451,7 +462,8 @@ namespace mbedTLS
int minver = tag->getInt("minver");
int maxver = tag->getInt("maxver");
unsigned int outrecsize = tag->getInt("outrecsize", 2048, 512, 16384);
- return new Profile(profilename, certstr, keystr, dhstr, mindh, hashstr, ciphersuitestr, curvestr, castr, crlstr, outrecsize, ctr_drbg, minver, maxver);
+ const bool requestclientcert = tag->getBool("requestclientcert", true);
+ return new Profile(profilename, certstr, keystr, dhstr, mindh, hashstr, ciphersuitestr, curvestr, castr, crlstr, outrecsize, ctr_drbg, minver, maxver, requestclientcert);
}
/** Set up the given session with the settings in this profile
diff --git a/src/modules/extra/m_ssl_openssl.cpp b/src/modules/extra/m_ssl_openssl.cpp
index 4ad556438..4df0d8962 100644
--- a/src/modules/extra/m_ssl_openssl.cpp
+++ b/src/modules/extra/m_ssl_openssl.cpp
@@ -132,7 +132,7 @@ namespace OpenSSL
mode |= SSL_MODE_RELEASE_BUFFERS;
#endif
SSL_CTX_set_mode(ctx, mode);
- SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, OnVerify);
+ SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
SSL_CTX_set_info_callback(ctx, StaticSSLInfoCallback);
}
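Review bot: `SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL)` is OpenSSL's default state for a fresh `SSL_CTX`, so after this change the call is a statement of intent rather than a configuration step, and a reader will look for where verification is actually switched on. A comment saying so would help: `// Peer verification is off by default; SetVerifyCert() enables it per context once the profile is loaded`. Until `SetVerifyCert()` runs, a session created from this context would negotiate without verifying the peer, so the ordering in the Profile constructor (third hunk of this file) is load-bearing and could be mentioned there too. The constructor body starts outside this hunk.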
@@ -206,6 +206,11 @@ namespace OpenSSL
return SSL_CTX_clear_options(ctx, clearoptions);
}
+ void SetVerifyCert()
+ {
+ SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, OnVerify);
+ }
+
SSL* CreateServerSession()
{
SSL* sess = SSL_new(ctx);
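Review bot: `SetVerifyCert()` is undocumented, and its flags are not self-explanatory: `SSL_VERIFY_PEER` makes a server send a certificate request and makes a client fail the handshake on verification failure unless `OnVerify` overrides the result, and `SSL_VERIFY_CLIENT_ONCE` stops the request being repeated on renegotiation. Suggested comment: `/** Request and verify the peer certificate via OnVerify(); servers ask for a client certificate once, clients verify the server certificate */`. `OnVerify` is defined outside this hunk, so whether failures are fatal for clients cannot be confirmed from here.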
@@ -345,6 +350,10 @@ namespace OpenSSL
ERR_print_errors_cb(error_callback, this);
ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "Can't read CA list from %s. This is only a problem if you want to verify client certificates, otherwise it's safe to ignore this message. Error: %s", filename.c_str(), lasterr.c_str());
}
+
+ clictx.SetVerifyCert();
+ if (tag->getBool("requestclientcert", true))
+ ctx.SetVerifyCert();
}
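Review bot: The setting is read inline as `tag->getBool("requestclientcert", true)` whereas the GnuTLS and mbedTLS counterparts in this commit bind it to a named `const bool requestclientcert` first; doing the same here keeps the three modules parallel and gives the branch a readable name. The CA-list warning a few lines up still says the failure only matters "if you want to verify client certificates", yet it is logged even when the option is false; if the CA list is not also used by `clictx`, guarding the load or the message on the option would avoid a misleading warning — the load itself is not visible in this hunk, so confirm before changing it. The constructor begins outside this hunk.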
const std::string& GetName() const { return name; }